[midPoint] AD password question
Aivo Kuhlberg
aivo.kuhlberg at rmit.ee
Wed Aug 31 12:18:24 CEST 2016
Thanks, Michal, Roman,
I tried your solution Michal but seems that it does not work. Correct me if I am wrong but my understanding is that strength 'weak' works if there is no value present but I believe AD connector does not know anything about existing AD password and therefore is updating it every time when midPoint password is changed.
Roman your solution is very interesting and I try to implement it.
Best Regards,
Aivo Kuhlberg
________________________________
Saatja: midPoint <midpoint-bounces at lists.evolveum.com> nimelRoman Pudil - AMI Praha a.s. <roman.pudil at ami.cz>
Saadetud: 31. august 2016 12:22
Adressaat: midPoint General Discussion
Teema: Re: [midPoint] AD password question
Hi Aivo,
I have this solution - try:
- Remove "outbound" element from credentials
- create "after-add" action
After-Add action calls dsmod on cmdline of AD server:
<scripts>
<script>
<host>resource</host>
<language>Shell</language>
<argument>
<script>
<code>
currDN = '';
currADDispName = basic.stringify(basic.getExtensionPropertyValues(user, 'http://ami.cz/xml/ns/userExtension', 'currentADDisplayName'));
currADOrgUnit = basic.stringify(basic.getExtensionPropertyValues(user, 'http://ami.cz/xml/ns/userExtension', 'currentADOrgUnit'));
if (currADDispName != '' && currADOrgUnit != '') {
currDN = 'CN=' + currADDispName + ',' + currADOrgUnit + ',' + basic.getResourceIcfConfigurationPropertyValue(resource, 'Container');
log.info<http://log.info>('AD: Create NEW user {}', currDN);
}
return currDN;
</code>
</script>
<name>userDN</name>
</argument>
<argument>
<script>
<code>
log.info<http://log.info>('Init Pwd of user {} = {}',user.getName(),basic.decrypt(basic.getPropertyValue(user, 'credentials/password/value')));
return basic.decrypt(basic.getPropertyValue(user, 'credentials/password/value'));
</code>
</script>
<name>initPwd</name>
</argument>
<code>
IF "%userDN%" NEQ "" dsmod user "%userDN%" -disabled yes -pwd "%initPwd%" -mustchpwd yes
exit
</code>
<operation>add</operation>
<order>after</order>
</script>
</scripts>
Regards
Roman Pudil
st 31. 8. 2016 v 10:53 odesílatel Aivo Kuhlberg <aivo.kuhlberg at rmit.ee<mailto:aivo.kuhlberg at rmit.ee>> napsal:
Hi,
I am using midPoint 3.4 with .NET AD connector and here are my current schemaHandling password settings for AD connector:
<credentials>
<password>
<outbound/>
</password>
</credentials>
These settings means that AD user password changes every time when it is changed in midPoint.
I do not want to manage AD users passwords at the moment with midPoint but I still want to set AD user password in situation when midPoint creates a new AD account. In all other sync situations AD password should not be changed. How should I implement that?
Thanks,
Aivo Kuhlberg
________________________________
Käesolev e-kiri võib sisaldada asutusesiseseks kasutamiseks tunnistatud teavet.
This e-mail may contain information which is classified for official use.
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com<mailto:midPoint at lists.evolveum.com>
http://lists.evolveum.com/mailman/listinfo/midpoint
--
Roman Pudil
solution architect
gsm: [+420] 775 663 666
e-mail: roman.pudil at ami.cz
AMI Praha a.s.
Plánickova 11
162 00 Praha 6
tel./fax: [+420] 274 783 239
web: www.ami.cz
________________________________
Käesolev e-kiri võib sisaldada asutusesiseseks kasutamiseks tunnistatud teavet.
This e-mail may contain information which is classified for official use.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160831/9cccf713/attachment.htm>
More information about the midPoint
mailing list